Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Monday, February 28, 2011

More NetWitness Investigator

To import packets into Investigator, you need to create a collection (the default collection, as we saw, is simply called "Demo Collection"). Create a new collection (Ctrl-L or use the menu), and then you can import your pcap file. The capture must be 1 GB or less, and you can have 25 simultaneous captures at any one time.
Double click your new collection, and after a second or so, you should see its status change to ready. Now you can right-click on it and choose "Import Packets". Browse to where you've saved your pcap file (hopefully you captured it with full packet data), and you'll see the import process begin. Depending on how much of your 1 GB limit you used, this may take a little while. Once you get the "ready" status once more, double click your collection again and open it up.

Here we see all of our sources and destinations, aliases, content types, ports and services used... and in the lower part of the report (below) we have the countries and cities involved (mine always has Beijing, as does probably yours) and organizations.

Since we see some of our hourly packets from China there, we can now drill down and see what kind of traffic they entail. Clicking on the number in parentheses (the packet count) after Beijing takes us to a nice sessions screen with our summaries for each packet...

I'm redacting my IP address here, replacing it with x.x.x.x, but you get the idea. Now I can zoom in on the packet data, and see that as we mouse over each field in the packet header, we get a little pop-up telling us the field and doing the hex conversion for us.

We have all the summary information of all packets in the capture to look at. We can, in a few mouse clicks, go from the high-level overview down to the single packet, to any field in that packet, and see its identification and conversion, if needed. Pulling all this information out manually, then drilling down to so granular a level, even with scripting, would take far, far longer.
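To show what the drill-down above is actually doing under the hood, here is an added example (not code from the post or from NetWitness) that walks a libpcap file the way Investigator does: it enforces the 1 GB import limit, tallies sources, destinations and TCP ports for the summary view, and names each IPv4 header field with its hex bytes like the mouse-over pop-up. The capture it reads is constructed inline (two made-up frames on private and documentation addresses), and the field names are my own labels, not Investigator's.

```python
import struct
from collections import Counter

MAX_IMPORT_BYTES = 1024 ** 3  # Investigator's 1 GB per-capture import limit from the post

def _frame(src, dst, sport, dport):
    """Build one Ethernet/IPv4/TCP SYN frame with its 16-byte pcap record header (constructed data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed sample capture: libpcap global header plus two frames of a made-up TCP/443 exchange.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame("10.0.0.5", "203.0.113.9", 51515, 443)
               + _frame("203.0.113.9", "10.0.0.5", 443, 51515))
IPV4_FIELDS = [("ver_ihl", 1), ("tos", 1), ("total_len", 2), ("id", 2), ("flags_frag", 2),
               ("ttl", 1), ("proto", 1), ("csum", 2), ("src", 4), ("dst", 4)]

def decode_ipv4_header(raw):
    """Name each IPv4 header field with its hex bytes and decimal value, like the mouse-over pop-up."""
    fields, off = [], 0
    for name, size in IPV4_FIELDS:
        chunk = raw[off:off + size]
        fields.append((name, chunk.hex(), int.from_bytes(chunk, "big")))
        off += size
    return fields

def summarize_pcap(data):
    """Return (packet count, Counters of sources, destinations and TCP destination ports)."""
    if len(data) > MAX_IMPORT_BYTES:
        raise ValueError("capture exceeds the 1 GB import limit")
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    counts = {"src": Counter(), "dst": Counter(), "dport": Counter()}
    off, n = 24, 0  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]  # captured length of this record
        pkt = data[off + 16:off + 16 + incl]
        off, n = off + 16 + incl, n + 1
        if pkt[12:14] != b"\x08\x00":  # only IPv4 frames are summarized
            continue
        ip = pkt[14:34]
        counts["src"][".".join(str(b) for b in ip[12:16])] += 1
        counts["dst"][".".join(str(b) for b in ip[16:20])] += 1
        if ip[9] == 6:  # TCP: destination port follows the source port at Ethernet+IP offset 36
            counts["dport"][struct.unpack("!H", pkt[36:38])[0]] += 1
    return n, counts
```

Running `summarize_pcap(SAMPLE_PCAP)` gives the same kind of source/destination/port tally the report view shows, and `decode_ipv4_header(SAMPLE_PCAP[54:74])` lists the first frame's header fields with their hex values.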
Next we need to explore using Investigator to do the data capture itself.